Spyware, viruses, & security forum: NEWS - May 31, 2012

Google revamped its reCAPTCHA system, used to block automated scripts from abusing its online services, just hours before a trio of hackers unveiled a free system that defeats the widely used challenge-response tests with more than 99 percent accuracy.

Stiltwalker, as the trio dubbed its proof-of-concept attack, exploits weaknesses in the audio version of reCAPTCHA, which is used by Google, Facebook, Craigslist and some 200,000 other websites to confirm that humans and not scam-bots are creating online accounts. While previous hacks have also used computers to crack the Google-owned CAPTCHA (short for Completely Automated Public Turing test to tell Computers and Humans Apart) system, none have achieved Stiltwalker's impressive success rate.

"The primary thing which makes Stiltwalker stand apart is the accuracy," wrote Adam, one of the three hackers who devised the attack, in an e-mail. "According to the lead researcher from the Carnegie Mellon study, the system we attacked was believed to be 'secure against automatic attack,'" he added, referring to this resume (pdf) from a Carnegie Mellon University computer scientist credited with designing the audio CAPTCHA.

Continued : http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/

Also: Google's reCAPTCHA briefly cracked

CSIS Security Group A/S has uncovered a new trojan-banker family which we have named Tinba (Tiny Banker) alias "Zusy".

Tinba is a small data stealing trojan-banker. It hooks into browsers and steals login data and sniffs on network traffic. As several sophisticated banker-trojan it also uses Man in The Browser (MiTB) tricks and webinjects in order to change the look and feel of certain webpages with the purpose of circumventing Two factor Authentification (2FA) or tricking the infected user to give away additional sensitive data such as credit card data or TANs.

Tinba is the smallest trojan-banker we have ever encountered and it belongs to a complete new family of malware which we expect to be battling in upcoming months.

The code is approx 20KB in size (including config and webinjects) and comes simple and clear without any packing or advanced encryption. Antivirus detection of the analyzed samples is low.

Tinba is upon execution utilizing an injection routine, which is obfuscated to primarily avoid antivirus detection. It allocates new memory space where this specific injection function is stored and injects itself into the newly created process "winvert.exe" (Version Reporter Applet) dropped into the windows system folder. Tinba also injects itself into both "explorer.exe" and "svchost.exe" processes.

Continued : http://www.csis.dk/en/csis/news/3566/

UK regulator PhonepayPlus (fomerly known ICSTIS) has imposed a fine of £50,000 on a payment provider used for an Android malware-based fraud and forced it to reimburse customers' losses. Last December, unknown perpetrators posted fake versions of popular applications on Google's Play store (formerly the Android Market) which sent out expensive premium rate text messages.

According to Android virus experts Lookout, the applications in question were based on the RuFraud malware and were customised to disguise themselves as 30-plus titles such as Angry Birds, Assassins Creed and Cut the Rope. These apps were downloaded an estimated 14,000 times, and sent out three premium rate text messages, costing £5 each, every time the user tried to open the app. Total losses to customers in the UK were estimated at £27,850.

PhonepayPlus was able to intervene before the money was transferred from payment services company A1 Agregator Limited to the perpetrators of the fraud. The UK registered limited company will now be required to return the money to affected smartphone users, including those who have not made a complaint, and pay a fine of £50,000.

http://www.h-online.com/security/news/item/Text-message-provider-to-pay-out-for-Android-malware-1585215.html

My efforts at "News" were a very poor substitute, and non existent this week.

Glad to see the proper News again Carol.

Mark

Apple has released a detailed security guide for its iOS operating system, an unprecedented move for a company known for not discussing the technical details of its products, let alone the security architecture. The document lays out the system architecture, data protection capabilities and network security features in iOS, most of which had been known before but hadn't been publicly discussed by Apple.

The iOS Security guide (pdf), released within the last week, represents Apple's first real public documentation of the security architecture and feature set in iOS, the operating system that runs on iPhones, iPads and iPod Touch devices. Security researchers have been doing ther best to reverse engineer the operating system for several years and much of what's in the new Apple guide has been discussed in presentations and talks by researchers.

One of the more-discussed security elements in iOS is the implementation of ASLR (address space layout randomization), an exploit mitigation that's designed to prevent attackers from using memory corruption bugs. Researchers discovered the addition of ASLR to iOS, but Apple never really talked about it.

"Built-in apps use ASLR to ensure that all memory regions are randomized upon launch. Additionally, system shared library locations are randomized at each device startup. Xcode, the iOS development environment, automatically compiles third-party programs with ASLR support turned on," the security guide says.

Continued : http://threatpost.com/en_us/blogs/apple-details-ios-security-features-new-guide-053112

The House Financial Services Committee is slated to hold a hearing this Friday on the impact of cyber heists against small- to mid-sized businesses. It's too bad the committee has already finalized its witness list: It likely would be shocked to hear the story of Tennessee Electric Company Inc., a firm that lost $328,000 earlier this month in an account takeover that defeated multiple security measures commonly used by commercial banks to stop cyber thieves.

Executives at the Kingsport, Tenn. based construction and maintenance contractor thought that the security procedures employed by their bank — one-time tokens and verbal approval for all transactions — would deter attackers. But they recently discovered how deftly today's e-thieves can bypass such defenses.

The attack began sometime before May 9, when thieves stole the online banking credentials for Tennessee Electric, presumably with some type of malicious software such as the ZeuS Trojan. That morning, the company's controller Jenni Smith logged into the firm's account at the Web site of Tri-Summit Bank, entering her password and a one-time password generated by a key fob supplied by the bank. After Smith entered the information, however, her browser was redirected to a Web page stating that the bank's site was down for maintenance and would be offline for about an hour.

But the thieves lurking on Smith's PC intercepted that one-time password, used her connection to log on to the bank's site, and redirected her browser to the fake maintenance page. Meanwhile, the attackers used that browser session to put through a batch of fraudulent payroll payments to at least 50 "money mules," willing or unwitting individuals scattered throughout the United States who were recruited to help the crooks funnel the funds out of the country.

Continued : http://krebsonsecurity.com/2012/05/house-committee-to-probe-e-banking-heists/

I'm ever so sorry, Mark.

I have no right to laugh .. but ........ " I couldn't help it"!

Something about "News by a Geezer" struck me as (very) funny. It had nothing at all to do with you personally.

Thanks, Bob
Sorry again, Mark

"The greeting card company is now using an anti-phishing standard known as DMARC to help block fake e-mails."

Have you ever received an e-mail with a link to an e-card and wondered whether it was legit?

Those of you who send or receive e-cards via American Greetings now have an extra layer of protection against phony phishing e-mails.

Working with security company Agari, American Greetings has put in place a new spec called DMARC (Domain-based Message Authentication, Reporting and Conformance) geared toward protecting its users.

DMARC is a verification system that can determine whether e-mails are coming from legitimate senders or imposters trying to coax people to click on malicious links. The system shares feedback among companies to try to thwart phishers who attempt to send phony messages.

Google, Microsoft, Yahoo, and AOL have already been tapping into the system by sending data to Agari, which collects around 1.5 billion messages per day and analyzes them for phishing patterns. Other companies part of the DMARC.org organization include Facebook, PayPal, Comcast, LinkedIn, and now American Greetings.

"Our goal is to instill confidence with each email we send, so every user can proceed with complete assurance of the integrity and authenticity of the AG Interactive brand," Gary Von Hoch, vice president of web operations and IT for American Greetings Interactive, said in a statement. "Working with Agari will allow us to focus on continuing to proactively investigate abuse while leveraging real-time reports and alerts, so we can immediately take appropriate action to shut down and correct issues that may arise."

Continued: http://news.cnet.com/8301-1009_3-57443691-83/american-greetings-raises-e-card-defenses-against-phishers/